The main components used for remote management of Windows and Windows servers are the following:
- Remote Desktop Protocol (RDP)
- Windows Remote Management (WinRM)
- Windows Management Instrumentation (WMI)
RDP
https://github.com/CiscoCXSecurity/rdp-sec-check
WinRM
WinRM relies on TCP ports 5985 and 5986 for communication, with port 5986 using HTTPS. Ports 80 and 443 were previously used for this task, but since port 80 was mainly blocked for security reasons, the newer ports 5985 and 5986 are used today.
Nmap WinRM
nmap -sV -sC 10.129.201.248 -p5985,5986 --disable-arp-ping -n
On Windows, the Test-WsMan cmdlet checks whether WinRM is reachable on a host; the name of the host in question is passed to it. In Linux-based environments, we can use the tool evil-winrm, another penetration testing tool designed to interact with WinRM.
evil-winrm -i 10.129.201.248 -u Cry0l1t3 -p P455w0rD!
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Cry0l1t3\Documents>
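As an added example (not from these notes and not part of evil-winrm or nmap), the following Python script does the same WinRM footprinting from an audit perspective: it posts to /wsman on 5985 and 5986, recognises the 401 challenge a WinRM listener returns, and flags hosts that answer only on the plaintext port 5985. The response-header heuristic, the timeout and the host value are assumptions.

```python
import http.client
import ssl

# WinRM listener ports from the notes above: port -> uses TLS?
WINRM_PORTS = {5985: False, 5986: True}


def classify_winrm_response(status, headers):
    """Classify an HTTP reply to an unauthenticated POST /wsman.

    headers: dict with lowercase keys ("server", "www-authenticate").
    Heuristic (assumption): a WinRM listener answers 401 from Microsoft-HTTPAPI
    with a Negotiate, Kerberos, NTLM or Basic challenge; anything else is treated
    as some other HTTP service.
    """
    server = headers.get("server", "").lower()
    challenge = headers.get("www-authenticate", "").lower()
    schemes = ("negotiate", "kerberos", "ntlm", "basic")
    if status == 401 and "microsoft-httpapi" in server and any(s in challenge for s in schemes):
        return "winrm"
    return "http-other"


def probe_winrm(host, port, use_tls, timeout=3.0):
    """Probe one port; returns 'winrm', 'http-other' or 'closed' (no HTTP reply)."""
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False  # WinRM listeners commonly use self-signed certs
            ctx.verify_mode = ssl.CERT_NONE
            conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("POST", "/wsman", body=b"",
                     headers={"Content-Type": "application/soap+xml;charset=UTF-8"})
        resp = conn.getresponse()
        # getheader() joins repeated WWW-Authenticate headers with ", "
        headers = {"server": resp.getheader("Server", ""),
                   "www-authenticate": resp.getheader("WWW-Authenticate", "")}
        conn.close()
        return classify_winrm_response(resp.status, headers)
    except (OSError, http.client.HTTPException):
        return "closed"


def audit_host(host, probe=probe_winrm):
    """Probe both ports; flag hosts that expose only the plaintext HTTP listener."""
    findings = {port: probe(host, port, tls) for port, tls in WINRM_PORTS.items()}
    plaintext_only = findings[5985] == "winrm" and findings[5986] != "winrm"
    return findings, plaintext_only
```

Run it with `audit_host("10.129.201.248")` (the host from the notes) to get a per-port result and the plaintext-only flag.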
https://github.com/Hackplayers/evil-winrm
WMI
Footprinting the Service
The initialization of the WMI communication always takes place on TCP port 135, and after the successful establishment of the connection, the communication is moved to a random port. For example, the program wmiexec.py from the Impacket toolkit can be used to interact with WMI remotely.
Command | Description
--- | ---
rdp-sec-check.pl <FQDN/IP> | Check the security settings of the RDP service.
xfreerdp /u:<user> /p:"<password>" /v:<FQDN/IP> | Log in to the RDP server from Linux.
evil-winrm -i <FQDN/IP> -u <user> -p <password> | Log in to the WinRM server.
wmiexec.py <user>:"<password>"@<FQDN/IP> "<system command>" | Execute a command using the WMI service.